changeset 1888:a7b66ea18632

Don't set pubkey_info directly in checkpubkey_line. This makes it safe to use from fuzzer-pubkey without leaking the value, since the cleanup isn't called there.
author Matt Johnston <matt@ucc.asn.au>
date Wed, 16 Mar 2022 18:35:23 +0800
parents 30fd047f6ebf
children 45e552ee4391 40f8468ad4d4
files svr-authpubkey.c
diffstat 1 files changed, 15 insertions(+), 8 deletions(-) [+]
--- a/svr-authpubkey.c	Wed Mar 16 17:32:43 2022 +0800
+++ b/svr-authpubkey.c	Wed Mar 16 18:35:23 2022 +0800
@@ -257,9 +257,12 @@
 
 }
 
+/* Content for SSH_PUBKEYINFO is optionally returned malloced in ret_info (will be
+   freed if already set */
 static int checkpubkey_line(buffer* line, int line_num, const char* filename,
 		const char* algo, unsigned int algolen,
-		const unsigned char* keyblob, unsigned int keybloblen) {
+		const unsigned char* keyblob, unsigned int keybloblen,
+		char ** ret_info) {
 	buffer *options_buf = NULL;
 	char *info_str = NULL;
 	unsigned int pos, len, infopos, infolen;
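Review bot: The new header comment on checkpubkey_line has an unbalanced parenthesis and does not say that ret_info may be NULL, which is exactly how the fuzz caller in this commit uses it. I would write it as `/* Content for SSH_PUBKEYINFO is optionally returned malloced in *ret_info (any existing value is freed first). ret_info may be NULL, in which case the info string is discarded rather than returned. */`. Documenting the NULL case matters because the parameter is the mechanism by which the fuzzer avoids leaking the allocation. The body of checkpubkey_line continues past this hunk.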
@@ -378,17 +381,20 @@
 	ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algo, algolen, line, NULL);
 
 	/* free pubkey_info if it is filled */
-	if (ses.authstate.pubkey_info) {
-		m_free(ses.authstate.pubkey_info);
+	if (ret_info && *ret_info) {
+		m_free(*ret_info);
+		*ret_info = NULL;
 	}
 
 	if (ret == DROPBEAR_SUCCESS) {
 		if (options_buf) {
 			ret = svr_add_pubkey_options(options_buf, line_num, filename);
 		}
-		/* take the (optional) public key information */
-		ses.authstate.pubkey_info = info_str;
-		info_str = NULL;
+		if (ret_info) {
+			/* take the (optional) public key information */
+			*ret_info = info_str;
+			info_str = NULL;
+		}
 	}
 
 out:
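Review bot: The new `if (ret_info)` block hands info_str to the caller even when svr_add_pubkey_options on the line just above has reset ret to a failure value, because the block only checks that the outer branch was entered, not that ret is still DROPBEAR_SUCCESS. The result is that a line whose key matched but whose options were rejected can leave its info string in ses.authstate.pubkey_info, to be freed only if a later line is checked; the original code had the same ordering, so this is pre-existing, but the rewrite is the natural place to tighten it. Changing the guard to `if (ret_info && ret == DROPBEAR_SUCCESS) {` keeps info_str on the local so the `out:` cleanup (outside this hunk) presumably releases it — worth confirming against that cleanup. checkpubkey_line begins and ends outside this hunk.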
@@ -470,7 +476,8 @@
 		}
 		line_num++;
 
-		ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen, keyblob, keybloblen);
+		ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen,
+			keyblob, keybloblen, &ses.authstate.pubkey_info);
 		if (ret == DROPBEAR_SUCCESS) {
 			break;
 		}
@@ -587,7 +594,7 @@
 int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename,
 		const char* algo, unsigned int algolen,
 		const unsigned char* keyblob, unsigned int keybloblen) {
-	return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen);
+	return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen, NULL);
 }
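Review bot: The bare `NULL` in the new fuzz_checkpubkey_line call is the whole point of the change but carries no explanation in the code, so a reader of the harness cannot tell it is deliberate. I would annotate the call, e.g. `/* ret_info is NULL so the info string is dropped inside checkpubkey_line instead of being stored in ses.authstate, which the fuzzer never cleans up */`. Whether the dropped string is actually freed depends on the `out:` cleanup of checkpubkey_line, which is not visible in this diff.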
 #endif